systembc | 4406711113df2e32ba7a4d0ca3befc8f2572646d6b48e494fd42633fed60e328

Analysis

max time kernel
146s
max time network
130s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05-06-2023 20:48

Target

file.exe
Size

263KB
MD5

00e2db89532040c67ffd107ce99200ff
SHA1

ecfa050c622f9a8937c241f4612b18e71a10b37f
SHA256

4406711113df2e32ba7a4d0ca3befc8f2572646d6b48e494fd42633fed60e328
SHA512

e0db858ada8ab45ce009db7cdc3613496951cc9c27b68dec72586d68dbf605e43e9a4a616418710065a121046c8d03eb77b9131522677d1d1e527ce1b7e89b47
SSDEEP

3072:BgU/XdoE8Rk3EXyEx6lnortV5sEqirdUkx+uzyHvP0AwpRPfMvgpm9jDQi9j0dUR:WUVogdlqP5SLyyEVRPfMJQiUA

Score

10^/10

systembc trojan

Family

systembc

23.95.44.228:53

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 23.95.44.228
Drops file in Windows directory 2 IoCs

Processes:

file.exe

description ioc process

File created C:\Windows\Tasks\wow64.job file.exe
File opened for modification C:\Windows\Tasks\wow64.job file.exe

description	ioc
Destination IP	23.95.44.228

description	ioc	process
File created	C:\Windows\Tasks\wow64.job	file.exe
File opened for modification	C:\Windows\Tasks\wow64.job	file.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1856 wrote to memory of 1752	1856	taskeng.exe	file.exe
PID 1856 wrote to memory of 1752	1856	taskeng.exe	file.exe
PID 1856 wrote to memory of 1752	1856	taskeng.exe	file.exe
PID 1856 wrote to memory of 1752	1856	taskeng.exe	file.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Drops file in Windows directory
PID:1728

C:\Windows\system32\taskeng.exe
taskeng.exe {247BBA9D-E428-4CD4-A906-8311D41F2C5C} S-1-5-21-1283023626-844874658-3193756055-1000:THEQWNRW\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1856

C:\Users\Admin\AppData\Local\Temp\file.exe
C:\Users\Admin\AppData\Local\Temp\file.exe start
2⤵
PID:1752

memory/1728-57-0x0000000000230000-0x0000000000235000-memory.dmp

Filesize
20KB

Download
memory/1728-58-0x0000000000400000-0x0000000002CE9000-memory.dmp

Filesize
40.9MB

Download
memory/1752-66-0x0000000000400000-0x0000000002CE9000-memory.dmp

Filesize
40.9MB

Download